strategy-ranking-sniper
Fail
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill performs pre-flight checks that download shell scripts from GitHub repositories and pipe them directly to the shell (e.g., `curl -sSL ... | sh`). This occurs for scripts from both the 'okx' and 'purong-huang-1121' repositories, allowing arbitrary code execution from remote sources at runtime.
- [PROMPT_INJECTION]: The skill contains a 'Post-Install Welcome' section explicitly telling the user that security warnings (Gen/Snyk/Socket) are 'false positives' (误报) and should be ignored. This is a social engineering tactic designed to deceive the user into bypassing safety filters.
- [COMMAND_EXECUTION]: The skill documentation and the provided `engine.py` rely heavily on the execution of external binaries and system commands using `subprocess.run` and shell piping to perform environment checks and trading operations.
- [EXTERNAL_DOWNLOADS]: The skill downloads binaries and installer scripts from external GitHub repositories during its initialization and update phases.
- [CREDENTIALS_UNSAFE]: The skill implementation and documentation require users to store highly sensitive information, such as `SOLANA_PRIVATE_KEY` and `TELEGRAM_BOT_TOKEN`, in a local `.env` file for the bot to function.
- [DYNAMIC_EXECUTION]: The skill uses `python3 -c` to execute dynamically generated Python code passed through a pipe from a `curl` command to process JSON data from the GitHub API.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/purong-huang-1121/skills-store/main/install_strategy.sh, https://raw.githubusercontent.com/purong-huang-1121/skills-store/main/install.sh, https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh. DO NOT USE without thorough review.
- AI detected serious security threats
Audit Metadata